Re: Applets within Wrapper that need root/administrative privileges
- Subject: Re: Applets within Wrapper that need root/administrative privileges
- From: Finlay Dobbie <email@hidden>
- Date: Thu, 19 Dec 2002 23:10:42 +0000
On Thursday, December 19, 2002, at 02:36 pm, Bill Bumgarner wrote:

> Do the applets really need to be SUID root or could you use the
> Authorization framework to request permission to launch the applets as
> root?

You can use the Authorization framework in conjunction with a suid root
tool...

> As such, your application should test to make sure that the applets
> have not been modified. The command line tools md5 and sum are
> useful for this and both use algorithms that can be found in source
> form that can easily be plugged into your application. Of course,
> someone could replace the applets and change the checksum in your
> application binary, but that is well beyond the casual cracker.

You may underestimate the abilities of the "casual" cracker. Still a
security risk.

> Apple has a tech note on the subject. I would post a link, but I
> don't have net access. The tech note is specifically related to the
> Authorization APIs.

AFAIK, Apple has always recommended *against* using AEWP().

> If you really do need to go the SUID route, an installer that can
> modify the permissions is probably the best route and has some
> advantages in and of itself. In particular, it would allow a user
> with admin privileges to install the application such that
> non-administrative users can use the app.

Also note that AEWP() doesn't return the pid of the child proc. I have
no idea why this should be, it's very annoying. Of course you can pass
it back with a pipe, but still...

-- Finlay
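
The "test that the applets have not been modified" check from the quoted text, as an added example that is not part of the original message or of either poster's code. It is written in Python and uses SHA-256 in place of md5 or sum (a substitution made here); `check_helper`, its parameters and the sample file are hypothetical, and the expected digest and owner uid are assumed to be supplied by the application.

```python
# Added example: hypothetical names; SHA-256 stands in for md5/sum.
import hashlib
import hmac
import os
import stat
import tempfile


def check_helper(path, expected_sha256, expected_uid=0):
    """Return the reasons a helper must not be launched (empty list = passed)."""
    try:
        # O_NOFOLLOW: refuse a symlink swapped in for the helper.
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError as exc:
        return [f"cannot open: {exc.strerror}"]
    problems = []
    try:
        # fstat and hash the same descriptor, so both describe one file.
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            return ["not a regular file"]
        if st.st_uid != expected_uid:
            problems.append(f"owner uid {st.st_uid}, expected {expected_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append("writable by group or others")
        digest = hashlib.sha256()
        while chunk := os.read(fd, 65536):
            digest.update(chunk)
        if not hmac.compare_digest(digest.hexdigest(), expected_sha256.lower()):
            problems.append("SHA-256 mismatch")
    finally:
        os.close(fd)
    return problems


if __name__ == "__main__":
    # Constructed sample: a stand-in "applet" in a temporary directory.
    body = b"#!/bin/sh\necho constructed sample\n"
    with tempfile.TemporaryDirectory() as d:
        applet = os.path.join(d, "applet")
        with open(applet, "wb") as f:
            f.write(body)
        os.chmod(applet, 0o755)
        good = hashlib.sha256(body).hexdigest()
        print(check_helper(applet, good, os.getuid()))  # unmodified file
        with open(applet, "ab") as f:
            f.write(b"# tampered\n")
        print(check_helper(applet, good, os.getuid()))  # modified file
```

The check covers only the file as it was when read: it does not help once the stored digest can be replaced along with the applet, and launching by path afterwards leaves a window between the check and the exec.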